CVE-2014-1927Improper Input Validation in Project Python-gnupg

CWE-20Improper Input Validation13 documents6 sources
Severity
7.5HIGHNVD
NVD4.6
EPSS
0.7%
top 27.35%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Python-gnupg Project Python-gnupg
Timeline
PublishedOct 25
Latest updateNov 6

Description

The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, which allows context-dependent attackers to execute arbitrary code via shell metacharacters in unspecified vectors, as demonstrated using "$(" command-substitution sequences, a different vulnerability than CVE-2014-1928. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-7323.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages3 packages

PyPIpython-gnupg_project/python-gnupg0.3.50.3.6

🔴Vulnerability Details

8
OSV
python-gnupg's shell_quote function does not properly quote strings2018-11-06
GHSA
python-gnupg's shell_quote function does not properly quote strings2018-11-06
OSV
python-gnupg's shell_quote function does not properly escape characters2018-11-06
GHSA
python-gnupg's shell_quote function does not properly escape characters2018-11-06
OSV
CVE-2014-1927: The shell_quote function in python-gnupg 02014-10-25

📋Vendor Advisories

2
Debian
CVE-2014-1927: python-gnupg - The shell_quote function in python-gnupg 0.3.5 does not properly quote strings, ...2014
Debian
CVE-2014-1928: python-gnupg - The shell_quote function in python-gnupg 0.3.5 does not properly escape characte...2014

💬Community

1
Bugzilla
CVE-2013-7323 CVE-2014-1927 CVE-2014-1928 CVE-2014-1929 python-gnupg: incorrect fix against shell injection2014-02-05
CVE-2014-1927 — Improper Input Validation | cvebase